Create a subkey to use with SSH. This page does not cover setting up an agent to make the subkey useful.
Run `gpg` to open the gpg subshell

```console
$ gpg --expert --edit-key 0xF63D830E71933501
Secret key is available

sec  rsa2048/0xF63D830E71933501
     created: 2016-02-09  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/0xF298FDA5E820823A
     created: 2016-02-09  expires: never       usage: E
[ultimate] (1). Paul newman <coolHand@vt.edu>
```
Run the subcommand `addkey`

```console
gpg> addkey
```
If you are running GnuPG classic (1.4) or stable (2.0), then you will be prompted for the master passphrase now. Enter it.
Choose an RSA key type with custom capabilities (option 8).

```console
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8
```
Recent releases of OpenSSH have deprecated DSA host and user keys. Do NOT choose (7) DSA.
Set allowed actions to authenticate only. Toggle off Sign (`s`) and Encrypt (`e`), toggle on Authenticate (`a`), then finish (`q`).

```console
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
```
Set the key size (at least 2048)

```console
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
```
It may seem as though a 4096-bit RSA key would be twice as secure as a 2048-bit RSA key, but this is not true. A 2048-bit RSA key provides about 112 bits of security, while a 4096-bit RSA key provides only about 129 bits of security. 2048-bit RSA keys are thought to be sufficiently secure until about 2030.

If you want to use this key on a smart card, check the capabilities of your card. A YubiKey NEO only supports up to 2048 bits, but a YubiKey 4 supports RSA 4096.
Set initial expiration of the key

```console
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
```
This is not a hard expiration. As long as you still have the private key, you can issue a new signature on the key that extends its validity for a further period.
Confirm the key expiration

```console
Key expires at Thu 09 Feb 2017 03:06:46 PM EST
Is this correct? (y/N) y
```
Confirm you really do want to create the key

```console
Really create? (y/N) y
```
If you are running GnuPG modern (2.1), you will be prompted to enter a passphrase for this subkey. Reusing the passphrase from the master key is recommended. Either way, it should be strong and memorable. If prompted, enter the passphrase for the master key.
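Once the subkey exists, it is worth confirming from the machine-readable listing (`gpg --list-secret-keys --with-colons`) that it really is authenticate-only, not DSA, at least 2048 bits, and carries an expiration, since a mis-toggled capability is easy to miss in the interactive menu. The checker below is an added example, not part of the original page; it parses the colon-separated records and runs those four checks over a constructed sample listing whose new subkey ID (`DEADBEEFDEADBEEF`) is a placeholder, not a real key from the page.

```python
"""Check a `gpg --with-colons` listing for an SSH-suitable authentication subkey."""
from __future__ import annotations
from dataclasses import dataclass

RSA, DSA = "1", "17"  # GnuPG algorithm ids in field 4 (RFC 4880 numbers)

# Constructed sample of `gpg --list-secret-keys --with-colons` output: the
# primary key and encryption subkey from the page plus a placeholder auth subkey.
SAMPLE_LISTING = """\
sec:u:2048:1:F63D830E71933501:1454976000:::u:::scESC:::+:::23::0:
uid:u::::1454976000::0000000000000000000000000000000000000000::Paul newman <coolHand@vt.edu>::::::::::0:
ssb:u:2048:1:F298FDA5E820823A:1454976000::::::e:::+:::23:
ssb:u:2048:1:DEADBEEFDEADBEEF:1455000000:1486500000:::::a:::+:::23:
"""


@dataclass
class Subkey:
    keyid: str
    bits: int
    algo: str
    created: str
    expires: str  # empty string means the key never expires
    caps: str     # lowercase capability letters for this key, e.g. "a"


def parse_subkeys(colons: str) -> list[Subkey]:
    """Extract sub/ssb records; fields are 1-based in the GnuPG docs, 0-based here."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sub", "ssb"):
            keys.append(Subkey(keyid=f[4], bits=int(f[2]), algo=f[3],
                               created=f[5], expires=f[6], caps=f[11]))
    return keys


def find_auth_subkeys(colons: str) -> list[Subkey]:
    """Subkeys that carry the authenticate capability at all."""
    return [sk for sk in parse_subkeys(colons) if "a" in sk.caps]


def check_auth_subkey(sk: Subkey) -> list[str]:
    """Return the problems with a subkey meant for SSH (empty list means it is fine)."""
    problems = []
    if set(sk.caps) != {"a"}:
        problems.append(f"capabilities are {sk.caps!r}, expected authenticate only")
    if sk.algo == DSA:
        problems.append("DSA subkey: recent OpenSSH releases deprecate DSA keys")
    if sk.algo == RSA and sk.bits < 2048:
        problems.append(f"RSA {sk.bits} bits is below the 2048-bit minimum")
    if not sk.expires:
        problems.append("no expiration set")
    return problems
```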